ELECTRONIC KEY SYSTEM AND ELECTRONIC KEY USAGE METHOD



Field of the Invention 

The present invention relates to an electronic key
system and an electronic key usage method which judge whether
provision of various kinds of services is to be allowed
or denied by storing an electronic key in a device, such
as an IC card, and more particularly to an electronic key
method and an electronic key system in which an electronic
key is shared among plural users.

Background of the Invention 

A service providing method using an electronic key
stored in an IC card has been disclosed as means which judges
allowance or denial of the provision of services of various
kinds (see Japanese Patent Laid-open Publication No.
2002-279360). To be more specific, the room key of a hotel
or the key of a rental car booked in advance is stored in
an IC card in the form of an electronic key, and an apparatus,
which is installed at a site where the services are to be
provided and judges allowance or denial of the provision
of services, reads out the electronic key from the IC card,
so that the door is unlocked when the read information of
the electronic key is judged as being valid.

Also, there has been disclosed an apparatus which reads
out an electronic key from an IC card, and judges allowance
or denial of the provision of services by judging the validity
of the information of the electronic key (see Japanese Patent
Laid-open Publication No. 2002-279360 and Japanese Patent
Laid-open Publication No. H7-233663).

The prior arts described above fail to disclose a method
which permits plural users to use the services jointly by
sharing an electronic key. A conceivable, simple electronic
key sharing method is a method in which an electronic key
is shared by copying the same electronic key in all the IC
cards owned by the respective users. This method, however,
raises a problem as follows. That is, for example, in case
of loss or theft of any of the IC cards in which the same
electronic key is copied, it is necessary to invalidate the
electronic key in the service providing apparatus in order
to prevent the unauthorised use of the lost IC card. However,
when any one of the same, plural electronic keys is invalidated,
the rest of the electronic keys become invalid as well.

Summary of the Invention

The invention was devised in view of the foregoing,
and therefore has an object to eliminate the need to invalidate
the rest of the electronic keys even when some of the
electronic keys shared among users are invalidated.

In order to achieve the above and other objects, in
the invention, electronic key data, formed from main ID data
used as a first identifier and sub ID data used as a second
identifier, is stored in a user module, such as an IC card
owned by a user, and two tables, a service allowance table
and a service denial table, are held in a service providing
device which judges allowance or denial of the use of services,
so that the service providing device judges the validity
of the electronic key data.

For example, an electronic key system which provides
services with the use of an electronic key includes a user
module which has stored electronic key data having a main
ID and a sub ID to identify an electronic key, and a service
providing device which judges allowance or denial of the
provision of services.

The invention provides the electronic key system,
wherein the user module includes accepting means which
accepts an electronic key transmission request from the
service providing device, and transmitting means which
transmits the electronic key data to the service providing
device; and the service providing device includes storing
means which stores service allowance information to allow
the provision of services and service denial information
to deny the provision of services, accepting means which
accepts electronic key data from the user module, first
judging means which judges whether the main ID in the accepted
electronic key data is present in the service allowance
information, second judging means which judges whether the
sub ID in the accepted electronic key data is present in
the service denial information, and provision judging means
which judges allowance or denial of the provision of services
according to results of the first and second judgments.

Brief Description of the Drawings 

Fig. 1 is a view showing the system configuration
according to a first embodiment of the invention;

Fig. 2 is a view showing the hardware configuration
according to the first embodiment of the invention;

Fig. 3 is a view showing the functional configuration
according to the first embodiment of the invention;

Fig. 4A is a view showing the data configuration of
user module according to the first embodiment of the
invention;

Fig. 4B is a view showing the data configuration of
electronic key managing apparatus according to the first
embodiment of the invention;

Fig. 4C is a view showing the data configuration of
service providing device according to the first embodiment
of the invention;

Fig. 5 is a flowchart of electronic key usage processing
according to the first embodiment of the invention;

Fig. 6 is another flowchart of electronic key usage
processing according to the first embodiment of the
invention;

Fig. 7 is a flowchart of electronic key sharing
processing according to the first embodiment of the
invention;

Fig. 8 shows an example of a data value when an electronic
key is shared, according to the first embodiment of the
invention;

Fig. 9 shows another example of a data value when an
electronic key is shared, according to the first embodiment
of the invention;

Fig. 10 is a flowchart of electronic key invalidation
processing according to the first embodiment of the
invention;

Fig. 11A shows examples of screen display during the
sharing processing according to the first embodiment of the
invention;

Fig. 11B shows examples of screen display during the
invalidation processing according to the first embodiment
of the invention;

Fig. 12A is a view showing the data configuration of
user module according to a second embodiment of the invention;

Fig. 12B is a view showing the data configuration of
electronic key managing apparatus according to the second
embodiment of the invention;

Fig. 12C is a view showing the data configuration of
service providing device according to the second embodiment
of the invention;

Fig. 13 is a flowchart of electronic key purchase
processing according to the second embodiment of the
invention;

Fig. 14A shows examples of screen display during the
purchase processing according to the second embodiment of
the invention;

Fig. 14B shows examples of the display during the sharing
processing according to the second embodiment of the
invention; and

Fig. 14C shows examples of the display screen during
the invalidation processing according to the second
embodiment of the invention.

Description of the Preferred Embodiment 

A first embodiment of the present invention will now
be described. This embodiment is an example when an
electronic key is adapted for use as the door key of a
residence.

Fig. 1 is a view showing the system configuration of
an electronic key system to which the present invention is
applied.

As is shown in the drawing, the system of this embodiment
includes user modules 100, user terminals 200, an electronic
key managing apparatus 300 and service providing devices
400, all of which are interconnected via a network 520, such
as the Internet.

Each user module 100 is a device which stores electronic
key data, and transmits and generates the electronic key
data depending on predetermined processing described below.
In order to prevent forgery or unauthorised copying of an
electronic key, it is preferable to use a tamper-resistant
device, such as an IC card, as the user module 100.

Each user terminal 200 is a terminal owned by each user
who wishes to use the services. The terminal 200 of a mobile
type is connected to the network 520 via a network 510, such
as a mobile-phone network.

The electronic key managing apparatus 300 manages an
electronic key in various manners, including the issuance
and invalidation of an electronic key in response to a request
from the user. The electronic key managing apparatus 300
is, for example, a WEB site. Each service providing device
400 is a device which judges the validity of an electronic
key stored in the user module 100, and judges allowance or
denial of the provision of services according to the result
of judgment. In this embodiment, the service providing
device 400 is a device which is installed at the door of
the user's residence and connected to an electromagnetic
lock or the like, so that it judges the validity of the
electronic key and locks or unlocks the door upon judging
that the electronic key is valid.

The hardware configuration of the electronic key system
will now be described.

Fig. 2 shows the hardware configuration of the
respective components: the user module 100, the user terminal
200, the electronic key managing apparatus 300, and the
service providing device 400.

The user terminal 200 can be, for example, a typical
computer system including a CPU 901 which processes and
computes data according to programs, a memory 902 into/from
which the CPU 901 can directly write/read out data, an external
storage apparatus 903, such as a hard disc, a communication
apparatus 904 which enables data communications with an
external system, an input apparatus 905, such as a keyboard,
key buttons, and a voice input device, and an output apparatus
906, such as a display or a printer. To be more specific,
the user terminal 200 can be a mobile phone, a PHS (Personal
Handy-Phone System), a PDA (Personal Digital Assistant),
a PC (Personal Computer), etc.

As with the user terminal 200, the electronic key
managing apparatus 300 can be a typical computer system.
To be more specific, the electronic key managing apparatus
300 can be a server, a host computer, etc.

The user module 100 is a computer apparatus including,
of the configuration shown in Fig. 2, at least the CPU 901
which processes and computes data according to programs,
the memory 902 into/from which the CPU 901 can directly
write/read out data, and the communication apparatus 904
which enables communications with an external system. The
user module 100 can be, for example, an IC card.

The service providing device 400 is a computer apparatus
including, of the configuration shown in Fig. 2, at least
the CPU 901 which processes and computes data according to
programs, the memory 902 into/from which the CPU 901 can
directly write/read out data, and the communication
apparatus 904 which enables data communications with an
external system.

The functional configuration of the electronic key 
system will now be described. 

Fig. 3 is a view showing the functional configuration
of each component shown in Fig. 1. Functions of the
respective components described below are achieved by
independently running predetermined programs stored or
loaded into their respective memories 902, that is to say,
by running a program for the user module 100 in the CPU 901
of the user module 100, a program for the user terminal 200
in the CPU 901 of the user terminal 200, a program for the
electronic key managing apparatus 300 in the CPU 901 of the
electronic key managing apparatus 300, and a program for
the service providing device 400 in the CPU 901 of the service
providing device 400.

The user module 100 includes a control unit 181, a
storage unit 182, a user terminal communication unit
(hereinafter, referred to as the UT communication unit) 183,
and a local area wireless communication unit 184. The
control unit 181 controls the respective units in the user
module 100. The storage unit 182 stores programs and data
in the memory 902. The UT communication unit 183
transmits/receives data to/from the user terminal 200 by
means of the communication apparatus 904. The local area
wireless communication unit 184 transmits/receives data
to/from the service providing device 400 or another user
module 100 through wireless communications by means of the
communication apparatus 904. Examples of such wireless
communications include a wireless LAN, ISO/IEC 14443, etc.
Alternatively, the user terminal 200 may include the local
area wireless communication unit 184, so that the user module
100 communicates with the service providing device 400 or
the like via the user terminal 200.

The user terminal 200 includes a control unit 281, a
storage unit 282, an input unit 283, a wide area wireless
communication unit 284, a display unit 285, and a user module
communication unit (hereinafter, referred to as the UM
communication unit) 286. The control unit 281 controls the
respective units in the user terminal 200. The storage unit
282 stores programs and data in the external storage apparatus
903. The input unit 283 accepts a data input from the user
through the input apparatus 905. The wide area wireless
communication unit 284 transmits/receives data to/from the
electronic key managing apparatus 300 or another user
terminal 200 by means of the communication apparatus 904.
The display unit 285 displays data to the user by means of
the output apparatus 906. The UM communication unit 286
transmits/receives data to/from the user module 100.

The electronic key managing apparatus 300 includes a
control unit 381, a storage unit 382, and a communication
unit 383. The control unit 381 controls the respective units
in the electronic key managing apparatus 300. The storage
unit 382 stores programs and data in the external storage
apparatus 903. The communication unit 383
transmits/receives data to/from the user terminal 200 or
the service providing device 400 via the network 520 by means
of the communication apparatus 904.

The service providing device 400 includes a control
unit 481, a storage unit 482, a communication unit 483, and
a local area wireless communication unit 484. The control
unit 481 controls the respective units in the service
providing device 400. The storage unit 482 stores programs
and data in the memory 902. The communication unit 483
transmits/receives data to/from the electronic key managing
apparatus 300 by means of the communication apparatus 904.
The local area wireless communication unit 484
transmits/receives data to/from the user module 100.

The data configuration of various kinds of data used
in the electronic key system will now be described.

Fig. 4A, Fig. 4B and Fig. 4C are views showing the
data configurations of various kinds of data used in the
electronic key system. As is shown in the drawing, various
kinds of data described below are stored in the user module
100, the electronic key managing apparatus 300, and the
service providing device 400.

Fig. 4A is a view showing the data configurations of
the user module 100.

In the user module 100 are stored user module
authentication key data (hereinafter, referred to as the
UM authentication key data) 110 used as an encryption key,
and a user electronic key table 120. The UM authentication
key data 110 is encryption key data used in mutual
authentication processing described below. The encryption
key data can be, for example, a common key used in a common-key
encryption scheme. Examples of the common-key encryption
scheme include DES (Data Encryption Standard), AES (Advanced
Encryption Standard), etc.

The user electronic key table 120 is a set of data in
which information of the electronic key owned by the user
is stored. The user electronic key table 120 includes a key
name indicating the name of an electronic key, a main ID
used as a first identifier to identify the electronic key,
a shared hierarchy indicating a range within which the
electronic key can be shared, and the history of a sub ID
used as a second identifier to identify the electronic key.

In the key name is set a name (for example, "the xx
residence") for the user to identify the service providing
device 400 for which the electronic key is issued. In the
main ID is set a unique ID different from the main IDs of
the other already-issued electronic keys to be discriminated
from these other electronic keys. For example, the
electronic key managing apparatus 300 may manage serial
numbers while counting up the value thereof each time an
electronic key is issued, so that this sequentially
counted-up value is set in the main ID.

In the shared hierarchy is set a numerical value of
"0" or "1" or greater. In the case of "0", it means that
the electronic key cannot be shared. Also, in a case where,
for example, "2" is set in the shared hierarchy, the user
A permits the user B to share the electronic key as a first
shared hierarchy, and further, the user B permits the user
C to share the electronic key as a second shared hierarchy.
Also, in a case where "1" is set in the shared hierarchy,
the user A permits the user B to share the electronic key
as the first shared hierarchy, but the user B inhibits the
user C to share the electronic key as the second shared
hierarchy. The value indicating the impossibility to share
the electronic key is not limited to "0", and it can be any
predetermined, specific value.

The sub ID is the second identifier to identify the
electronic key, and the sub ID history can store plural kinds
of sub ID data. When the electronic key managing apparatus
300 issues or provides a new user module to the user, the
data set in the sub ID in a client table 330 described below
is set in the sub ID history. In this embodiment, the mobile
phone number of the user is used as the sub ID.

Fig. 4B is a view showing the data configurations of
the electronic key managing apparatus 300.

In the electronic key managing apparatus 300 are stored
service device authentication key data (hereinafter,
referred to as the SD authentication key data) 310, UM
authentication key data 320, and the client table 330. As
with the UM authentication key data 110, the authentication
key data 310 and the UM authentication key data 320 are
encryption key data used in the mutual authentication
processing. In a case where the common-key encryption scheme
is used, data having the same value as the UM authentication
key data 110 of the user module 100 is set in the UM
authentication key data 320 of the electronic key managing
apparatus 300.

The client table 330 is a set of data which manages
various kinds of information related to the users. The
client table 330 includes a membership number to uniquely
identify the user, a password comprising an alpha-numerical
sequence to authenticate the user, a sub ID to identify the
user among those sharing the electronic key when the
electronic key is shared, a main ID to identify the electronic
key assigned to the user, and an SD address. In the main
ID is set the same value as the main ID set in the user module
100 of the user who applied for the use of services. In the
sub ID is set the same value as the sub ID data initially
set in the sub ID of the user electronic key table 120 described
above. In the services of this embodiment, the mobile phone
number is used as the sub ID. The SD address is a network
address of the service providing device 400 over the network
520, and is used to enable the electronic key managing
apparatus 300 to transmit/receive data to/from the service
providing device 400. To be more specific, an IP address
or the like is used.

Fig. 4C is a view showing the data configurations of
the service providing device 400.

In the service providing device 400 are stored SD
authentication key data 410, UM authentication key data 420,
a service allowance table 430, and a service denial table
440. As with the UM authentication key data 110 or the like,
the SD authentication key data 410 and the UM authentication
key data 420 are encryption key data used in the mutual
authentication processing. In a case where the common-key
encryption scheme is used, data having the same value as
the SD authentication key data 310 of the electronic key
managing apparatus 300 is set in the SD authentication key
data 410 of the service providing device 400. Also, data
having the same value as the UM authentication key data 320
of the electronic key managing apparatus 300 and the UM
authentication key data 110 of the user module 100 is set
in the UM authentication key data 420 of the service providing
device 400.

The service allowance table 430 is a table which is
used in the service providing device 400 to identify an
electronic key for which the use of services is allowed,
and includes data of the main ID for which the use of services
is allowed. The service denial table 440 is a table which
is used in the service providing device 400 to identify an
electronic key for which the use of services is inhibited,
and includes data of the main ID and the sub ID for which
the use of services is inhibited. The same value as the main
ID set in the user module which uses the service providing
device 400 is set in the main ID in the service allowance
table 430 and in the service denial table 440.

In this embodiment, assume that various kinds of data
shown in Fig. 4A, Fig. 4B and Fig. 4C, except for the data
in the service denial table 440, are pre-set in the memory
902 or the external storage apparatus 903 in each component.
For example, at the timing at which the user applies for
the use of services to the service provider, the electronic
key managing apparatus 300 sets predetermined data in the
memory 902 or the external storage apparatus 903 in each
component, and distributes and locates the user module 100,
the service providing device 400, etc.

With reference to Fig. 5, the flow of the processing
when the user is to receive the provision of services (the
door of the residence is unlocked) in this embodiment will
now be described.

The local area wireless communication unit 484 of the
service providing device 400 periodically transmits an
electronic key transmission request message to the user
module 100 (Step 101). Upon receipt of the message at the
local area wireless communication unit 184 of the user module
100, the control unit 181 performs the mutual authentication
processing with the control unit 481 of the service providing
device 400 (Step 102). The mutual authentication processing
is performed according to "5.2.2 Three pass authentication"
described in ISO/IEC 9798-2 defined as the mutual
authentication procedure with the use of a common key, by
using, for example, the UM authentication key data 110 and
420 in the user module 100 and the service providing device
400, respectively. By performing the mutual authentication
processing in this manner, it is possible to prevent a
malicious third party from receiving the provision of
services through the use of a false user module 100. It is
also possible to prevent the user module 100 from transmitting
the electronic key erroneously to a false service providing
device 400 and thereby revealing the content of the electronic
key.

Also, after the mutual authentication is completed,
it is preferable to encrypt the contents of the following
transmission messages with the use of a session key or the
like. There is known a method which uses a random number
generated during the "Three pass authentication" processing
described above as the session key. By encrypting the
messages in this manner, it is possible to prevent the
electronic key from being revealed through eavesdropping
of the messages.
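The mutual authentication of Step 102, as an added sketch that is not part of the original text: it is a three-pass challenge-response in which HMAC-SHA-256 stands in for the common-key encipherment, so it shows the pattern rather than implementing ISO/IEC 9798-2. The class names, the device identifier and the "AB"/"BA" direction labels are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets


def mac(key, *fields):
    """HMAC-SHA-256 over length-prefixed fields (unambiguous field boundaries)."""
    data = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, data, hashlib.sha256).digest()


class ServiceDevice:
    """Service providing device 400 side; holds UM authentication key data 420."""

    def __init__(self, um_key, device_id):
        self.key = um_key
        self.device_id = device_id  # hypothetical identifier bound into the token
        self.r_b = None

    def pass1(self):
        self.r_b = secrets.token_bytes(16)  # fresh challenge for every attempt
        return self.r_b

    def pass3(self, r_a, token_ab):
        r_b, self.r_b = self.r_b, None  # a challenge is accepted once only
        if r_b is None:
            return None
        expected = mac(self.key, b"AB", r_a, r_b, self.device_id)
        if not hmac.compare_digest(expected, token_ab):
            return None  # false user module: no service, no reply token
        return mac(self.key, b"BA", r_b, r_a)


class UnkeyedDevice(ServiceDevice):
    """Test double: a device without the real key that skips checking the module."""

    def pass3(self, r_a, token_ab):
        return mac(self.key, b"BA", self.r_b, r_a)


class UserModule:
    """User module 100 side; holds UM authentication key data 110."""

    def __init__(self, um_key):
        self.key = um_key
        self.r_a = self.r_b = None

    def pass2(self, r_b, device_id):
        self.r_a, self.r_b = secrets.token_bytes(16), r_b
        return self.r_a, mac(self.key, b"AB", self.r_a, r_b, device_id)

    def finish(self, token_ba):
        # Only when this returns True may the module go on to Step 103
        # and transmit the electronic key data.
        expected = mac(self.key, b"BA", self.r_b, self.r_a)
        return hmac.compare_digest(expected, token_ba)


def run_exchange(module, device):
    """Return (device replied to the module, module accepted the device)."""
    r_b = device.pass1()                                  # pass 1: device -> module
    r_a, token_ab = module.pass2(r_b, device.device_id)   # pass 2: module -> device
    token_ba = device.pass3(r_a, token_ab)                # pass 3: device -> module
    if token_ba is None:
        return (False, False)
    return (True, module.finish(token_ba))


if __name__ == "__main__":
    key = bytes(range(32))  # constructed sample key
    print(run_exchange(UserModule(key), ServiceDevice(key, b"door-1")))
    print(run_exchange(UserModule(b"\x00" * 32), ServiceDevice(key, b"door-1")))
    print(run_exchange(UserModule(key), UnkeyedDevice(b"\x11" * 32, b"door-1")))
```
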

Subsequently, the local area wireless communication
unit 184 of the user module 100 transmits an electronic key
transmission message to the service providing device 400
(Step 103). It should be noted that this message contains,
of all kinds of data held in the user electronic key table
120, at least the main ID data and the sub ID history data.

The local area wireless communication unit 484 of the
service providing device 400 receives the message, and the
control unit 481 then judges whether the received main ID
data is present in the service allowance table 430 (Step
104). When the main ID data is present (YES in Step 104),
the control unit 481 judges whether the sub ID data contained
in the received sub ID history data is present in the service
denial table 440 (Step 105). When any of the sub ID data
contained in the received sub ID history data is present
in the service denial table 440, the control unit 481 judges
"the presence" in this judgment. Hence, the provision of
services is denied to a user module whose user key table
has, in the sub ID history, sub ID data present in the service
denial table 440. Hence, a user module for
which the sharing is permitted from the sub ID (a user module
of the sharing user in the lower order than the sub ID) can
no longer be used, which makes it possible to prevent the
lost or stolen user module from being abused, for example,
by copying the electronic key therefrom.

Upon judging the absence of the sub ID (NO in Step 105),
the control unit 481 performs the processing to allow the
provision of services (Step 106). In this embodiment, the
unlocking processing of the door of the residence is
performed.

Upon judging the presence of the sub ID (YES in Step
105), the control unit 481 denies the provision of services
and ends the processing (Step 107). In this embodiment, the
unlocking processing of the door of the residence is not
performed and the door therefore remains locked. In the
absence of the main ID in the service allowance table (NO
in Step 104), the control unit 481 also denies the provision
of services and ends the processing (Step 107).
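The judgment of Steps 104 through 107, as an added example that is not part of the original text, set beside the copied-key scheme from the Background. The class and function names, the sample main ID and phone numbers, the matching of denial entries on the (main ID, sub ID) pair, and the assumption that a sharer's sub ID history lists every holder above it on the sharing chain are all constructed for the illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ElectronicKeyData:
    """What the user module transmits in Step 103."""
    main_id: int           # first identifier, the same for every sharer of the key
    sub_id_history: tuple  # second identifiers; assumed to list the sharing chain


@dataclass
class ServiceProvidingDevice:
    allowance_table: set = field(default_factory=set)  # table 430: main IDs
    denial_table: set = field(default_factory=set)     # table 440: (main ID, sub ID)

    def invalidate(self, main_id, sub_id):
        """Deny one holder's sub ID; the main ID itself stays allowed."""
        self.denial_table.add((main_id, sub_id))

    def judge(self, key):
        # Step 104: first judgment, main ID against the service allowance table.
        if key.main_id not in self.allowance_table:
            return "DENY_MAIN_ID"  # Step 107
        # Step 105: second judgment, every sub ID in the history against the
        # service denial table; one hit is enough to judge "the presence".
        if any((key.main_id, s) in self.denial_table for s in key.sub_id_history):
            return "DENY_SUB_ID"   # Step 107
        return "ALLOW"             # Step 106


def copied_key_baseline():
    """Background scheme: all cards carry one key value, so one revocation hits all."""
    cards = {"A": 1001, "B": 1001, "C": 1001, "D": 1001}
    valid = {1001}
    valid.discard(cards["B"])  # B's card is lost and its key value is invalidated
    return {name: ("ALLOW" if k in valid else "DENY") for name, k in cards.items()}


def demo():
    """A shares with B and D, B shares with C; then B's card is reported lost."""
    main_id = 1001  # constructed sample values throughout
    a, b, c, d = ("090-0000-0001", "090-0000-0002",
                  "090-0000-0003", "090-0000-0004")
    cards = {
        "A": ElectronicKeyData(main_id, (a,)),
        "B": ElectronicKeyData(main_id, (a, b)),
        "C": ElectronicKeyData(main_id, (a, b, c)),
        "D": ElectronicKeyData(main_id, (a, d)),
    }
    device = ServiceProvidingDevice(allowance_table={main_id})
    before = {name: device.judge(key) for name, key in cards.items()}
    device.invalidate(main_id, b)
    after = {name: device.judge(key) for name, key in cards.items()}
    return before, after


if __name__ == "__main__":
    print("copied key  :", copied_key_baseline())
    before, after = demo()
    print("before loss :", before)
    print("after loss  :", after)
```

Denying B's sub ID also denies C, whose history contains it, while A and D keep access; in the copied-key baseline the same loss locks out all four cards.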

The foregoing processing described the method by which
the user module 100 transmits the electronic key by means
of the local area wireless communication unit 184; however,
the electronic key may be transmitted by another method.
For example, the electronic key may be transmitted by way
of the network 510 and the network 520. The flow of the
processing in this case will be described below. In
comparison with the processing of Fig. 5, this processing
is different only in the unit of the electronic key
transmission/reception processing (Step 101 through Step
103), and the rest units are the same as those of Fig. 5.
Hence, the different unit will be described with reference
to Fig. 6.

Fig. 6 shows the flow of the electronic key
transmission/reception processing when the user is to
receive the provision of services with the use of the user
terminal 200.

Upon acceptance of an operation command from the user
at the input unit 283 of the user terminal 200, the UM
communication unit 286 transmits an electronic key
transmission request message to the user module 100 (Step
201). Upon receipt of the message at the UT communication
unit 183 of the user module 100, the control unit 181 performs
the mutual authentication processing with the control unit
481 of the service providing device 400 (Step 202). The
mutual authentication processing is performed via the user
terminal 200, the network 510, and the network 520. The
authentication key data used in the mutual authentication
processing, the mutual authentication procedure, encryption
of the following messages, etc. are the same as those in
the processing in Step 102 of Fig. 5.

Then, the UT communication unit 183 of the user module
100 transmits an electronic key transmission message to the
service providing device 400 (Step 203). This message
transmission is the same as the transmission in Step 202
in that the message is transmitted via the user terminal
200 and the network 510. After the processing in Step 203,
the service providing device 400 performs the processing
in Step 104 and thereafter described in Fig. 5.

By transmitting the electronic key via the various kinds
of networks in this manner, it is possible to address a case,
for example, where an acquaintance of the user who owns the
user module 100 used as the electronic key visits the user's
home while the user is out, by unlocking the door of the
residence by means of the user terminal 200 through remote
control and asking the acquaintance to wait inside.

The processing in a case where the electronic key is
shared among the service users will now be described. Fig.
7 shows the flow of the electronic key sharing processing.
Fig. 11A shows examples of the display screen displayed on
the user terminal 200 during the sharing processing. In this
processing, assume that the user module 100 and the user
terminal 200 owned by the user having the original electronic
key (hereinafter, referred to also as the original user)
are a first user module 100 and a first user terminal 200,
respectively. Also, assume that the user module 100 and the
user terminal 200 owned by the user who is allowed to share
the electronic key (hereinafter, referred to also as the
sharing user) are a second user module 100 and a second user
terminal 200, respectively. In the examples of the display
screen of Fig. 11A, the mobile phone number is used as the
sub ID.

Initially, upon acceptance of an operation command from
the original user at the input unit 283 of the first user
terminal 200, the UM communication unit 286 transmits an
electronic key list request message to the first user module
100 (Step 301). The UT communication unit 183 of the first
user module 100 receives the message, and the control unit
181 then sets, in an electronic key list response message,
as many pairs of the key name data and the main ID data in
respective records as the stored records in the user
electronic key table 120. The UT communication unit 183 then
transmits the electronic key list response message to the
first user terminal 200 (Step 302).

Upon receipt of the message at the UM communication
unit 286 of the first user terminal 200, the display unit
285 displays the received list of the key name data on the
output apparatus 906 (Screen 31). The input apparatus 905
of the first user terminal 200 then accepts a selection command
of the key name that the user selected from the list of the
selection data (Step 303).

Subsequently, the display unit 285 of the first user
terminal 200 displays a sub ID data input screen on the output
apparatus 906 (Screen 32). The input apparatus 905 then
accepts the sub ID data the user inputted. The sub ID data
is the data necessary in case of loss or theft of the user
module 100 to invalidate the electronic key of this user
module 100 alone, and unique data in the group of users sharing
the electronic key is used as the sub ID data. In this
embodiment, the mobile phone number of the user is used as
the sub ID. The UM communication unit 286 then transmits
a sharing start message to the first user module 100 (Step
304). This message contains the main ID data selected in
Step 303 and the sub ID data inputted in Step 304. After
the transmission of the message, the display unit 285 of
the first user terminal 200 displays a "COPYING" screen on
the output apparatus 906 (Screen 33).

Upon receipt of the message at the UT communication
unit 183 of the first user module 100, the control unit 181
generates the data of the user electronic key table 120 to
be transmitted to the second user module 100 owned by the
sharing user (Step 305). The user electronic key table 120
is a set of data described with reference to Fig. 4. The
main ID data contained in the sharing start message is set
in the main ID, and the key name of the record specified
by this main ID data is set in the key name. In the shared
hierarchy is set the value obtained by subtracting "1" from
the value of the shared hierarchy of this record. It should
be noted, however, that when the value after subtraction
takes a minus numerical value, the control unit 181 judges
that no further sharing of the electronic key is allowed,
and ends the processing without performing the processing
thereafter. In the sub ID history data is additionally set
the sub ID data contained in the sharing start message.

Subsequently, the first user module 100 and the second
user module 100 perform the mutual authentication processing
(Step 306). The UM authentication key data 110 held in the
respective user modules is used as the authentication keys
used in this mutual authentication processing. Also, the
mutual authentication processing is performed via the
respective user terminals 200 and the network 510.
Alternatively, the mutual authentication processing may be
performed directly between the first user module 100 and
the second user module 100 via their respective local area
wireless communication units 184. The rest of the mutual
authentication processing is the same as the processing in
Step 102 of Fig. 5, and so is the encryption of the messages
thereafter.

Subsequently, the first user module 100 transmits an
electronic key writing message to the second user module
100 (Step 307). In this instance, the message is transmitted
through the same transmission path as in Step 306. This
message contains the data of the user electronic key table
120 generated in Step 305. Upon receipt of the electronic
key writing message, the second user module 200 appends the
data (record) of the user electronic key table 120 in the
message to the existing user electronic key table 120 (Step
308). After this processing is completed, the display unit
285 of the first user terminal 200 displays a "COPYING IS
COMPLETED" screen on the output apparatus 906 (screen 34).
With these steps, the electronic key sharing processing is
completed.

The user electronic key table 120 in the electronic
key sharing processing will now be described. Fig. 8 shows
a user electronic key table 121 of the first user module
100 (hereinafter, referred to as the first user electronic
key table) and a user electronic key table 122 of the second
user module 100 (hereinafter, referred to as the second user
electronic key table) when "1" is given to the value of the
shared hierarchy set in the first user electronic key table
121.

The data in the first user electronic key table 121
remains the same before and after the electronic key sharing
processing. In the second user electronic key table 122 are
set the key name, the main ID having the same value as that
in the first user electronic key table 121, and a value "0",
which is obtained by subtracting "1" from the value of the
shared hierarchy in the first user electronic key table 121.
Also, the record, in which the mobile phone number inputted
through the first user terminal 200 is set, is newly appended
to the sub ID history. In this case, because "0" is set in
the shared hierarchy in the second user electronic key table,
the second user is not able to perform the electronic key
sharing processing.

Fig. 9 shows the first user electronic key table 121,
the second user electronic key table 122, a third user
electronic key table 123 (the user electronic key table of
a third user module 100), and a fourth user electronic key
table 124 (the user electronic key table of a fourth user
module 100) when "3" is given to the shared hierarchy in
the first user electronic key table 121 of the original user.

In the shared hierarchy of the second user electronic
key table 122 is set a value "2" obtained by subtracting
"1" from the value of the first user electronic key table
121, and the same records as those of Fig. 8 are newly appended
for the rest. Then, in the shared hierarchy of the third
user electronic key table 123 is set a value "1" obtained
by subtracting "1" from the value of the second user electronic
key table 122, and a record, in which the mobile phone number
set in the second user electronic key table 122 and a mobile
phone number inputted through the second user terminal 200
are set, is newly appended to the sub ID history. Likewise,
in the shared hierarchy of the fourth user electronic key table
124 is set a value "0", and a record, in which three mobile
phone numbers are set, is newly appended to the sub ID history.
In this case, because "0" is set in the shared hierarchy
of the fourth user electronic key table, the fourth user
is not able to perform the electronic key sharing processing.

The flow of processing when the electronic key is
invalidated will now be described with reference to Fig.
10 and Fig. 11B. Fig. 10 shows the flow of the electronic
key invalidation processing. Fig. 11B shows examples of
the display screen displayed on the user terminal 200 during
the invalidation processing. Loss or theft of the user module
100 is conceivable as a case where the electronic key is
invalidated. Because Step 401 through Step 405 are the
processing achievable by any existing Web browser and Web
server, the detailed description thereof is omitted. Also,
a mobile phone number is used as the sub ID in examples of
the display screen of Fig. 11B.

Initially, the display unit 285 of the user terminal
200 displays, in response to an operation command from the
user, a screen which accepts an input of the membership number
and the password (screen 41), and accepts the input of the
membership number and the password from the user. The wide
area wireless communication unit 284 then transmits a log-in
request message to the electronic key managing apparatus
300 (Step 401). The log-in request message contains the data
of the membership number and the password inputted from the
user. Upon receipt of the message at the communication unit
383 of the electronic key managing apparatus 300, the control
unit 381 searches through the client table 330, and judges
whether the inputted membership number is present and
verifies the inputted password. When the membership number
is present and the password is verified, the communication
unit 383 transmits a service menu display message to the
user terminal 200 (Step 402). When the membership number
is absent or the password is unverified, the control unit
381 ends the processing without performing the processing
thereafter. The menu display message contains a command
identifier or a page description language to enable a menu
screen to be displayed on the output apparatus 906 of the
user terminal 200. Such a page description language includes,
for example, HTML (Hyper-Text Markup Language).

Upon receipt of the menu display message at the wide
area wireless communication unit 284 of the user terminal
200, the display unit 285 displays a menu selection screen
(Screen 42) on the output apparatus 906. The input unit 283
then accepts the menu selection of the user inputted through
the input apparatus 905, and the wide area wireless
communication unit 284 transmits the result to the electronic
key managing apparatus 300 as a selected menu message (Step
403). Upon receipt of the message at the communication unit
383 of the electronic key managing apparatus 300, the control
unit 381 transmits a sub ID input request message to the
user terminal 200 in a case where it judges that the message
selects the menu for registration of invalidation
(invalidation processing) (Step 404). In this embodiment,
assume that there is no service menu other than the
invalidation processing.

Upon receipt of the sub ID input request message at
the wide area wireless communication unit 284 of the user
terminal 200, the display unit 285 displays a sub ID input
acceptance screen (screen 43) on the output apparatus 906.
The input unit 283 then accepts the sub ID data inputted
through the input apparatus 905, and the wide area wireless
communication unit 284 transmits a sub ID registration
message to the electronic key managing apparatus 300 (Step
405). This message contains the inputted sub ID data. After
the message is transmitted, a "REGISTERING INVALIDATION"
screen (screen 44) is displayed on the output apparatus 906
of the user terminal 200.

After the communication unit 383 of the electronic key
managing apparatus 300 receives the sub ID registration
message, the control unit 381 performs the mutual
authentication processing with the service providing device
400 (Step 406). The authentication keys used in this
instance are the SD authentication key data 310 and 410 of
the electronic key managing apparatus 300 and the service
providing device 400, respectively. Also, the network
address of the service providing device 400, with which
communications are to be made, is the SD address data in
the client table 330, which is specified from the logged-in
membership number data. The rest is the same as the mutual
authentication processing in Step 102 of Fig. 5.

Subsequently, the control unit 381 of the electronic
key managing apparatus 300 searches through the client table
330, using the membership number data received in the log-in
processing (Step 402) as the key, and obtains the sub ID
(mobile phone number) data corresponding to the membership
number. The control unit 381 then judges whether the sub
ID data contained in the sub ID registration message received
from the user terminal 200 matches with the phone number
(Step 407). In a case where the received sub ID data matches
with the sub ID data in the client table, the user module
of the original user needs to be invalidated due to loss
or theft. Hence, entire invalidation processing is
performed to invalidate all the electronic keys having the
main ID of this user module. On the other hand, in a case
where the received sub ID data does not match with the sub
ID data in the client table, the user module to be invalidated
is the one other than the user module of the original user
(that is, a user module of the sharing user). Hence, partial
invalidation processing is performed to invalidate only the
user module having this sub ID. The partial invalidation
processing invalidates a user module which is allowed to
share the electronic key by this user module having this
sub ID as well, which makes it possible to prevent the
ill-intended use of the lost user module.

For the partial invalidation processing, the
communication unit 383 of the electronic key managing
apparatus 300 transmits an appending request message to the
service providing device 400 (Step 408). This message
contains the main ID data of the record of the membership
number, and the sub ID data in the received sub ID registration
message. Upon receipt of the appending request message at
the communication unit 483 of the service providing device
400, the control unit 481 appends one record, comprising
the main ID data and the sub ID data, to the service denial
table 440 (Step 409). In a case where the partial
invalidation processing (Step 409) is performed, the entire
invalidation processing (Step 410) described below is not
performed, and instead, the completion of invalidation is
notified (Step 412).

For the entire invalidation processing, the
communication unit 383 of the electronic key managing
apparatus 300 transmits a deletion request message to the
service providing device 400 (Step 410). This message
contains the main ID data of the record of the membership
number. Upon receipt of the deletion request message at the
communication unit 483 of the service providing device 400,
the control unit 481 deletes the corresponding main ID data
from the service allowance table 430 (Step 411).

After the partial invalidation processing or the entire
invalidation processing is completed, the communication unit
383 of the electronic key managing apparatus 300 transmits
a message notifying the completion of invalidation to the
user terminal 200 (Step 412). Upon receipt of the message
at the wide area wireless communication unit 284 of the user
terminal 200, the display unit 285 displays an "INVALIDATION
IS COMPLETED" screen (screen 45) on the output apparatus
906.

With these steps, the processing to invalidate the 
electronic key is completed. 
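
The sharing rule of Step 305 and the partial and entire invalidation of Steps 407 to 411, modelled as an added example (not code from the patent), using the Fig. 9 case of a shared hierarchy of "3". The `allows` check is an assumption, since the usage judgment (Steps 104 to 107) is not described in this passage; all names, IDs and phone numbers are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass(frozen=True)
class KeyRecord:
    """One record of a user electronic key table 120."""
    key_name: str
    main_id: str
    shared_hierarchy: int                 # levels of sharing still allowed
    sub_id_history: Tuple[str, ...] = ()  # sub IDs collected along the chain


def share(record: KeyRecord, sub_id: str) -> Optional[KeyRecord]:
    """Step 305: build the record written into the sharing user's module.

    Returns None when the decremented hierarchy would be negative,
    i.e. no further sharing of the key is allowed.
    """
    remaining = record.shared_hierarchy - 1
    if remaining < 0:
        return None
    return KeyRecord(record.key_name, record.main_id, remaining,
                     record.sub_id_history + (sub_id,))


@dataclass
class ServiceProvidingDevice:
    allowance: set = field(default_factory=set)  # table 430: main IDs
    denial: set = field(default_factory=set)     # table 440: (main ID, sub ID)

    def append_denial(self, main_id: str, sub_id: str) -> None:
        """Step 409: append one (main ID, sub ID) record."""
        self.denial.add((main_id, sub_id))

    def delete_main_id(self, main_id: str) -> None:
        """Step 411: delete the main ID from the allowance table."""
        self.allowance.discard(main_id)

    def allows(self, record: KeyRecord) -> bool:
        """Assumed check: the main ID is allowed and no denied sub ID
        appears anywhere in the presented sub ID history."""
        if record.main_id not in self.allowance:
            return False
        return not any((record.main_id, sub_id) in self.denial
                       for sub_id in record.sub_id_history)


def invalidate(device: ServiceProvidingDevice, main_id: str,
               registered_sub_id: str, reported_sub_id: str) -> str:
    """Step 407: the managing apparatus picks entire or partial invalidation."""
    if reported_sub_id == registered_sub_id:
        device.delete_main_id(main_id)             # original user's module lost
        return "entire"
    device.append_denial(main_id, reported_sub_id)  # a sharing user's module lost
    return "partial"


def build_fig9_chain():
    """Original key with hierarchy 3, shared three times (constructed data)."""
    original = KeyRecord("HOME", "M-0001", 3)
    second = share(original, "090-0000-0002")
    third = share(second, "090-0000-0003")
    fourth = share(third, "090-0000-0004")
    return original, second, third, fourth


if __name__ == "__main__":
    chain = build_fig9_chain()
    device = ServiceProvidingDevice(allowance={"M-0001"})
    # The third user's module is reported lost: third and fourth are denied.
    print(invalidate(device, "M-0001", "090-0000-0001", "090-0000-0003"))
    print([device.allows(r) for r in chain])
```

Because the denied sub ID also sits in the fourth user's history, the key the third user passed on is refused together with the third user's own, while the original and second users keep access.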

In this embodiment, the sub ID data stored in the service
providing device 400 or the sub ID data contained in the
message transmitted to the service providing device 400 may
be encrypted or digested with a unidirectional function.
When configured in this manner, it is possible to prevent
the sub ID data from being revealed as the service providing
device 400 is eavesdropped and the interior thereof is
analyzed (for example, when the phone number is used as the
sub ID data, the phone number is revealed). Examples of the
unidirectional function include SHA-1 (Secure Hash Algorithm
1), MD-5 (Message Digest 5), etc. Examples of encryption
means include the common-key encryption scheme, such as DES
(Data Encryption Standard) and AES (Advanced Encryption
Standard), and a public-key encryption scheme, such as
elliptic curve cryptography.
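
The digested sub ID arrangement described above, as an added example (not code from the patent): the service denial table holds only digests, and matching against a presented sub ID history still works. It substitutes HMAC-SHA-256 for the SHA-1 and MD-5 the text names, because an unkeyed digest of a phone number can be recomputed for every possible number; the key, its holders (the managing apparatus and the user modules), the class name and all values are assumptions.

```python
import hashlib
import hmac


def digest_sub_id(sub_id: str, key: bytes) -> str:
    """Keyed one-way digest of a sub ID (a phone number in the embodiments).

    Separators are stripped first so that "090-0000-0003" and
    "09000000003" digest identically; otherwise an invalidation
    registered in one spelling would never match the other.
    """
    digits = "".join(ch for ch in sub_id if ch in "0123456789")
    if not digits:
        raise ValueError("sub ID contains no digits")
    return hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()


class DigestDenialTable:
    """Service denial table 440 that stores digests, never raw sub IDs."""

    def __init__(self):
        self._records = []  # list of (main ID, sub ID digest)

    def append(self, main_id: str, sub_id_digest: str) -> None:
        """Appending request (Step 409) carrying an already digested sub ID."""
        if (main_id, sub_id_digest) not in self._records:
            self._records.append((main_id, sub_id_digest))

    def is_denied(self, main_id: str, history_digests) -> bool:
        """True when any digest in the presented history is on the table."""
        for denied_main, denied_digest in self._records:
            if denied_main != main_id:
                continue
            for presented in history_digests:
                # Constant-time comparison of the two hex digests.
                if hmac.compare_digest(denied_digest, presented):
                    return True
        return False

    def stored(self):
        """What someone analysing the device's storage would find."""
        return list(self._records)


if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: never stored on the device
    table = DigestDenialTable()
    table.append("M-0001", digest_sub_id("090-0000-0003", key))
    history = [digest_sub_id(n, key) for n in ("09000000002", "09000000003")]
    print(table.is_denied("M-0001", history))
    print(table.stored())
```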

In this embodiment, the user inputs the sub ID data
through the user terminal 200; however, the sub ID data may
be pre-stored in the user terminal 200 or the user module
100 of the original user. In this case, the input of the
sub ID through the user terminal 200 in the shared key
generation processing (Step 305) in the electronic key
sharing processing (see Fig. 7) is unnecessary, and the
pre-stored sub ID data is used in generation of the electronic
key data to be shared. Alternatively, the sub ID data may
be pre-stored in the user terminal 200 or the user module
100 of the sharing user. In this case, new sub ID data is
not generated in the sub ID history data in the shared key
generation processing (Step 305) during the electronic key
sharing processing (see Fig. 7), and the pre-stored sub ID
data is appended to the sub ID history of the user electronic
key table 120 in the electronic key writing processing (Step
308).

A second embodiment of the present invention will now 
be described. 

This embodiment is an example in a case where an 
electronic key is adapted for use for the door of a rental 
car. Since this embodiment is similar to the first 
embodiment above in many respects, the following description 
will chiefly describe the difference. 

The system configuration of this embodiment is almost
the same as the system configuration in the first embodiment
above (see Fig. 1). In this embodiment, however, the service
providing device 400 is a device installed at the door of
a rental car to unlock the door in response to the validity
judgment of the electronic key data. Alternatively, it may
be a device installed in the vicinity of a rental car to
release the fixing apparatus of the rental car in response
to the validity judgment.

The hardware configuration and the functional
configuration are almost the same as those in the first
embodiment above (see Fig. 2 and Fig. 3).

The data configuration of various kinds of data used
in the electronic key system of this embodiment is shown
in Fig. 12A, Fig. 12B and Fig. 12C. For the data configuration
of various kinds of data, the description of the similar
respects with the first embodiment above is omitted and the
difference will be described below.

The client table 330 of the electronic key managing
apparatus 300 differs from the client table 330 in the first
embodiment above in that it does not include the main ID
data and the SD address data as data items. In the first
embodiment above, the user and the service providing device
used by the user (the device installed at the door of the
user's residence to judge the validity of the electronic
key) are fixed in advance, and the main ID is therefore set
in a one-to-one correspondence with the membership number
(see the client table 330 of Fig. 4B). On the contrary, in
this embodiment, the relation between the user and a rental
car the user is going to use is not fixed in advance. Hence,
it is necessary to correlate the user with the rental car
at the timing at which the user chooses the rental car and
purchases the key of the rental car. The electronic key
managing apparatus 300 of this embodiment therefore includes
a transaction table 340 and a product table 350 as new tables,
neither of which is present in the first embodiment above
(see Fig. 12B).

The transaction table 340 is a table which is used to
manage the purchase transaction of an electronic key, and
includes a main ID to identify an individual electronic key,
a product ID to identify the product corresponding to the
electronic key of the main ID, and a membership number to
identify the purchaser of the electronic key of the main
ID. To the transaction table 340 is appended a record
generated at the timing at which the user purchases the key
of the rental car.

The product table 350 is a table which is used to manage
the products to be provided from the service provider, and
has a product ID to uniquely identify the product (the rental
car in this embodiment), a product name indicating the name
of the product, and an SD address as a network address of
the service providing device 400 corresponding to the
product.

In this embodiment, assume that the tables and data
shown in Fig. 12A, Fig. 12B and Fig. 12C, except for four
tables specified below, are pre-set in the memory 902 or
the external storage apparatus 903 in each component. The
four tables are the user electronic key table 120, the
transaction table 340, the service allowance table 430, and
the service denial table 440.

The flow of the processing when the user purchases the
electronic key will now be described with reference to Fig.
13 and Fig. 14A, Fig. 14B and Fig. 14C. Fig. 13 is a flowchart
of the processing. Fig. 14A shows examples of the display
screen on the user terminal 200 during the purchase processing.
Fig. 14B shows examples of the display screen on the user
terminal 200 during the sharing processing. Fig. 14C shows
examples of the display screen on the user terminal 200 during
the invalidation processing. A mobile phone number is
used as the sub ID in these examples of the display screen.
Transmission and reception of messages, the mutual
authentication processing, etc. are basically the same as
those in the first embodiment above.

The user terminal 200 transmits the membership number
and the password inputted through a "MEMBERSHIP NUMBER AND
PASSWORD INPUT SCREEN" (screen 51 of Fig. 14A) to the
electronic key managing apparatus 300 (Step 501). Upon
receipt of the input of the membership number and the password,
the electronic key managing apparatus 300 performs the log-in
processing with reference to the client table 330, and
transmits a menu screen (screen 52) to the user terminal
200 (Step 502). The foregoing processing is the same as the
invalidation processing (see Fig. 10 and Fig. 11) of the
first embodiment above. It should be noted, however, that
the contents displayed as the menu differ between the screen
52 (Fig. 14A) and the screen 42 (Fig. 11A).

The flow of the processing in a case where a "PRODUCT
PURCHASE" menu is selected on the menu screen (screen 52)
will now be described. The electronic key invalidation
processing performed in a case where "REGISTRATION OF
INVALIDATION" is selected will be subsequently described
below.

Upon acceptance of the selection of the "PRODUCT
PURCHASE" menu at the input unit 283 of the user terminal
200, the wide area wireless communication unit 284 transmits
the information of the selected menu to the electronic key
managing apparatus 300 (Step 503). Upon acceptance of the
message at the communication unit 383 of the electronic key
managing apparatus 300, the control unit 381 searches through
the product table 350, and obtains more than one pair of
the product ID data and the product name data, which is
transmitted to the user terminal 200 by the communication
unit 383 (Step 504). Upon receipt of the data at the wide
area wireless communication unit 284 of the user terminal
200, the display unit 285 displays a product list screen
(screen 53) on the output apparatus 906 on the basis of the
received data, and accepts an input as to the product selection
by the user (Step 505). The wide area wireless communication
unit 284 then transmits the product ID data of the product
accepted at the input unit 283 of the user terminal 200 to
the electronic key managing apparatus 300, after which a
"DOWNLOADING" screen (screen 54) is displayed on the output
apparatus 906.

After the communication unit 383 of the electronic key
managing apparatus 300 receives the product ID data, the
control unit 381 performs the mutual authentication
processing with the user module 100 (Step 506). The
authentication keys used in this instance are the UM
authentication key data 320 of the electronic key managing
apparatus 300 and the UM authentication key data 110 of the
user module 100.

The control unit 381 of the electronic key managing
apparatus 300 then performs generation processing of the
main ID data and the sub ID data (Step 507). A unique data
value different from the main ID data of the already-issued
electronic keys is used as the main ID data to be discriminated
from these electronic keys. For example, the electronic key
managing apparatus 300 may manage serial numbers while
counting up the value thereof each time an electronic key
is issued, so that the counted-up value is used as the data
value. For the sub ID data, it is sufficient to set a data
value that is unique in a group of the users sharing the
issued electronic keys, and a mobile phone number of the
user is used as the sub ID data in this embodiment.

The control unit 381 of the electronic key managing
apparatus 300 then generates the electronic key data having
key name data, main ID data, shared hierarchy data, and sub
ID history data (Step 508). In the key name data is set the
product name data in the product table 350, specified by
using the product ID data received in Step 505 as the search
key. In the main ID data and the sub ID history data are
set the main ID data and the sub ID data generated in Step
507, respectively. As with the first embodiment above, in
the shared hierarchy data is set specific numerical value
data indicating a range within which the electronic key can
be shared. In addition, the control unit 381 of the
electronic key managing apparatus 300 newly appends the
record having the main ID data, the product ID data, and
the membership number data described above, to the
transaction table 340.

The control unit 381 of the electronic key managing
apparatus 300 then performs the mutual authentication
processing with the service providing device 400 (Step 509).
The authentication keys used in this instance are the SD
authentication key data 310 of the electronic key managing
apparatus 300 and the SD authentication key data 410 of the
service providing device 400. The corresponding SD address
data in the product table 350 is set as the network address
of the service providing device 400 with which communications
are to be made. The corresponding SD address data is
specified by using the product ID data received in Step 505
as the search key.

The communication unit 383 of the electronic key
managing apparatus 300 then transmits a registration request
message, containing the main ID data generated in Step 507,
to the service providing device 400 (Step 510).

Upon receipt of the registration request message at
the communication processing 483 of the service providing
device 400, the control unit 481 appends the main ID data
thus received to the service allowance table 430 (Step 512).

The communication unit 383 of the electronic key
managing apparatus 300 then transmits an electronic key
writing message, containing the electronic key data
generated in Step 508, to the user module 100 by way of the
UM communication unit 286 of the user terminal 200 (Step
511). Upon receipt of the electronic key data at the UT
communication unit 183 of the user module 100, the control
unit 181 appends the electronic key data to the user electronic
key table 120 (Step 513), after which a completion screen
(screen 55) is displayed on the output apparatus 906 of the
user terminal 200.

With these steps, the processing when the user purchases
the electronic key is completed. This processing allows the
user to receive the provision of services (the purchase of
the key of a rental car) through the use of an electronic
key even when the user uses an arbitrary service providing
device that is not fixed in advance.

The electronic key usage processing and the electronic
key sharing processing are the same as those in the first
embodiment above (see Fig. 5, Fig. 6 and Fig. 7). Fig. 14B
shows the display screens on the user terminal 200 during
the electronic key sharing processing.

The electronic key invalidation processing differs
from the counterpart in the first embodiment above (see Fig.
10) in the following respects. That is, in this embodiment,
the network address of the service providing device 400,
with which communications are to be made during the mutual
authentication processing (Step 406), is the SD address data
in the product table 350 specified from the membership number
data received in the log-in processing (Step 502). To be
more specific, the product ID is specified from the
transaction table 340 by using the membership number data
as the search key, and the SD address data in the product
table 350 is then specified by using the product ID thus
specified as the search key.

Also, the main ID data contained in the messages
transmitted in the partial invalidation processing (Step
406) and the entire invalidation processing (Step 410) is
obtained by searching through the transaction table 340 by
using the membership number data received in the log-in
processing (Step 402) as the search key. Fig. 14C shows the
display screens on the user terminal 200 during the electronic
key invalidation processing.

The above description has described the second
embodiment of the invention. The foregoing processing, as
in the first embodiment above, makes it possible to achieve
not only the entire invalidation processing which
invalidates all the user modules having the same main ID,
but also the partial invalidation processing which
invalidates only the user module having the corresponding
sub ID, even when the user uses an arbitrary service providing
device which is not fixed in advance.

As has been described, according to the invention, even
when the services are used jointly by sharing the electronic
key among plural users, not all the electronic keys are
necessarily invalidated when the electronic key of any one
of the users is invalidated due to loss or theft. In other
words, it is possible to prevent an unwanted event in which,
when one user loses the electronic key (or the electronic key
is stolen) and the electronic key is invalidated, the use of
the services is invariably denied to all the users who
share the electronic key with this user.

It should be appreciated that the invention is not
limited to the embodiments above, and the invention can be
modified in various manners within the scope thereof. For
example, the invention can be used as an electronic key of
a rental conference room, an electronic key of a hotel room,
an electronic key of an electronic locker, etc.

For example, in the usage processing in the first
embodiment above, the service providing device 400 includes
the service allowance table 430 and the service denial table
440 to judge allowance or denial of the provision of services.
However, the electronic key managing apparatus 300 may hold
the service allowance table 430 and the service denial table
440 for the respective service providing devices 400 to judge
allowance or denial of the provision of services. To be more
specific, it is conceivable that the electronic key managing
apparatus 300 is set as the transmission destination of the
electronic key transmission (Step 103) of Fig. 5, so that
the electronic key managing apparatus 300 judges allowance
or denial of the provision of services (Step 104 through
Step 107) and transmits the judgment result to the service
providing device 400.

Also, in the sharing processing in the first embodiment
above, the user module 100 includes the user electronic key
table 120 and generates the electronic key data to be shared.
However, the electronic key managing apparatus 300 may hold
the user electronic key tables 120 of the respective user
modules and manage them collectively, so that it generates
the electronic key data to be shared in response to a sharing
request from the user terminal. To be more specific, it is
conceivable that the electronic key managing apparatus 300
is set as the transmission destination of the acquisition
of the electronic key list (Step 301) of the first user
terminal 200 in Fig. 7, so that the electronic key managing
apparatus 300 performs the processing of the first user module
100 thereafter (response to the electronic key list,
generation of the electronic key to be shared, etc.).

As has been described, according to the invention, it
is possible to use the services jointly by sharing the
electronic key among plural users. Also, in a case where
the electronic key being shared is invalidated, either all
or only some of the shared electronic keys can be invalidated.
